Privacy Policy
This Privacy Policy explains how CBuddy Private Limited (operating as EngagePro, part of the Bluenath ecosystem) collects, uses, stores, and protects your personal data in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA) and other applicable Indian laws.
Overview & Scope
This Privacy Policy applies to all users of EngagePro — including brand advertisers, content creators onboarded via Bluenath, and visitors to our website (engagepro.bluenath.com). By accessing or using our platform, you agree to the collection and use of information as described herein.
EngagePro is an AdTech platform operated by CBuddy Private Limited, a company incorporated under the Companies Act, 2013 (CIN: U62013DL2024PTC428390), with its registered office at 2-A/3 S/F Front Side, Asaf Ali Rd, Turkman Gate, Minto Road, New Delhi – 110002, Delhi. PAN: AALCC7196F.
EngagePro is part of the Bluenath ecosystem — a creator OS and social media management platform. When you use EngagePro, certain data may be shared between EngagePro and Bluenath in accordance with this Policy and the data-sharing agreements in place between both systems.
This Policy is governed by and construed in accordance with the laws of India, including the Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology Act, 2000 (IT Act), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), and any other applicable regulations.
Information We Collect
2.1 Information You Provide Directly
When you register, onboard, or use our platform, we collect:
- Identity information: Full legal name, email address, mobile number
- Business information: Brand/company name, GSTIN, PAN card number, business category
- KYC documentation: PAN card (front and back images), legal name as per PAN, residential/registered address
- Bank account details: Account number, IFSC code, bank name (for creator payouts)
- Aadhaar last 4 digits (optional, for enhanced KYC)
- Campaign data: Campaign briefs, guidelines, ad materials, uploaded documents
- Communications: Messages, dispute descriptions, and correspondence through our collaboration workspace
- Rate card details (for creators): Per-ad pricing, delivery timelines, monthly capacity preferences
2.2 Information Collected Automatically
When you access our platform or integrate the @bluenath/engage analytics module into your website, we automatically collect:
- Device and browser information: User agent, operating system, browser type and version
- Usage data: Pages visited, time on page, click events, session duration, referrer URL
- IP address and approximate geographic location (city/region level via MaxMind GeoIP)
- Website analytics events: Page views, conversions, add-to-cart actions, purchases, signups, installs (only from websites that have integrated our module)
- Session identifiers and analytics tokens
- Log data: Server logs, error reports, API access timestamps
2.3 Information from Third Parties
- Social media account data from Bluenath: Platform usernames, follower counts, engagement metrics, audience demographics, content classifications — shared via the Bluenath Internal Query API
- App Store & Play Store data: Install counts, ratings (fetched via Apify for campaigns with Installs as KPI)
- YouTube/Instagram video data: View counts, engagement data (fetched via Apify for campaigns with Views as KPI)
- Payment gateway data: Payment status, transaction reference numbers (from PayU — we do not store full card details)
- MSG91: OTP delivery status and mobile number validation
Sensitive Personal Data: PAN card numbers, bank account details, and KYC documents are classified as Sensitive Personal Data or Information (SPDI) under Rule 3 of the IT (SPDI) Rules, 2011. This data is encrypted at rest using AES-256-GCM and is accessible only to authorised personnel for KYC review and payout processing.
How We Use Your Information
We use your personal data strictly for the following purposes:
3.1 Platform Operations
- Creating and managing your EngagePro account (advertiser or creator)
- Authenticating your identity via OTP-based login
- Processing campaign creation, payment collection, and fund management
- Executing the Smart Match AI matching algorithm to connect brands with suitable creators
- Facilitating collaboration between advertisers and creators (messaging, date coordination, ad submission)
- Verifying ad deliverables and managing the dispute resolution process
3.2 Payments & Financial Compliance
- Processing campaign payments via PayU payment gateway
- Managing advertiser wallet balances and applying credits to new campaigns
- Calculating and deducting platform fees (17.5% = 15% platform + 2.5% payment gateway charges)
- Deducting TDS at 10% under Section 194R of the Income Tax Act, 1961, where applicable (annual payout exceeding ₹20,000)
- Issuing Form 16A (TDS certificate) quarterly to creators
- Generating GST invoices within 7 days of payout for GST-registered creators
- Maintaining financial ledgers and audit trails as required by law
3.3 Analytics & Attribution
- Providing general website analytics to advertisers who have integrated the @bluenath/engage module
- Running Bayesian attribution models (Interrupted Time Series analysis) to calculate campaign-wise ROI
- Segregating multi-campaign analytics data using statistical modelling
- Tracking KPI-specific metrics: app installs, social media views, website conversions, signups
3.4 Legal & Compliance Obligations
- Verifying KYC details in compliance with the Prevention of Money Laundering Act, 2002 (PMLA) and FEMA
- Complying with income tax reporting requirements
- Responding to lawful requests from government authorities, courts, or regulatory bodies
- Enforcing our Terms and Conditions, including dispute resolution and creator penalty systems
3.5 Communications
- Sending OTP messages for authentication via MSG91
- Sending transactional emails (campaign updates, payout notifications, dispute alerts) via AWS SES
- Sending in-app push notifications via Firebase Cloud Messaging (FCM)
- Sending platform announcements, policy updates, and system alerts
We do not use your personal data for behavioural advertising, sell your data to third parties, or use it for any purpose incompatible with those listed above without your explicit consent.
We do not sell, rent, or trade your personal data. We share information only in the following circumstances:
4.1 Within the Bluenath Ecosystem
EngagePro and Bluenath operate as integrated but distinct systems. Data is exchanged via a secure, mutually-authenticated internal API (mTLS). Specifically:
- Creator profile data, audience metrics, and rate card information are shared from Bluenath to EngagePro for campaign matching
- Collaboration state updates, ad request notifications, and payout events are pushed from EngagePro to Bluenath via HMAC-signed webhooks
- No Bluenath database is directly queried by EngagePro — all access is through controlled API endpoints with audit logging
4.2 Service Providers (Data Processors)
- PayU India Pvt. Ltd. — payment processing (subject to PayU's privacy policy)
- Amazon Web Services (AWS) — cloud infrastructure, S3 storage (KYC documents in private bucket, ad materials in CDN-backed bucket), SES for email
- MSG91 — OTP and SMS delivery
- Google Firebase — in-app push notifications
- Apify Platform — external creator data fetching for advanced discovery
- MaxMind — IP-based geolocation for analytics
- PostgreSQL/TimescaleDB hosted on our secure infrastructure — analytics event storage
All third-party service providers are bound by contractual data processing agreements and are permitted to use your data only to provide services to us.
4.3 Legal Disclosures
- When required by law, court order, or government authority
- To protect the rights, property, or safety of CBuddy Private Limited, our users, or the public
- In connection with legal proceedings, investigation of fraud, or enforcement of our Terms
4.4 Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred to the acquiring entity. You will be notified via email and/or a prominent notice on our platform at least 30 days before any such transfer.
Data Storage & Security
We take the security of your personal data seriously and implement industry-standard technical and organisational measures:
5.1 Encryption
- All data in transit is encrypted using TLS 1.2 or higher
- PAN card numbers and sensitive KYC fields are encrypted at rest using AES-256-GCM
- Bank account numbers: only the last 4 digits are retained after KYC approval; full numbers are never logged
- API keys are hashed using bcrypt (cost factor 12) before storage; only the prefix is stored for identification
- KYC documents are stored in a private AWS S3 bucket; access is via pre-signed URLs with a 15-minute expiry
5.2 Access Controls
- Inter-service communication uses mutual TLS (mTLS) with 30-day rotating certificates
- The admin portal is accessible only from authorised IP ranges
- All admin actions on financial data are logged with CRITICAL severity to an immutable audit log
- JWT-based authentication (RS256) with 15-minute access tokens and 7-day refresh tokens
- Rate limiting: 100 requests/minute per IP on public endpoints; 1,000 requests/minute per API key on analytics endpoints
5.3 Infrastructure
Our infrastructure is hosted on AWS (ap-south-1 region, Mumbai) and managed via Docker/Kubernetes. We conduct regular security audits and maintain an error budget per our non-functional requirements. Despite these measures, no system is completely secure — we encourage you to use strong, unique passwords and report any suspected security issues to our security team.
Breach Notification: In the event of a personal data breach that is likely to result in risk to your rights, we will notify you and the Data Protection Board of India (when constituted) as required under the DPDPA, 2023, within the timeframes prescribed by law.
We use cookies and similar tracking technologies on our web platform for the following purposes:
6.1 Types of Cookies We Use
- Strictly Necessary Cookies: Session management, CSRF protection, authentication tokens. These cannot be disabled as they are essential for the platform to function.
- Functional Cookies: Remembering your preferences (theme, language), campaign filter settings, and dashboard layout.
- Analytics Cookies: Understanding how users interact with our platform (page views, feature usage) — collected internally, not shared with ad networks.
- Security Cookies: Fraud detection, rate limiting, and bot protection.
6.2 The @bluenath/engage Module
If you are an advertiser who has integrated the @bluenath/engage analytics module into your own website, this module collects visitor events (page views, conversions, purchases) on your website and sends them to EngagePro servers via your API key. You are responsible for informing your own website visitors about this tracking and obtaining any necessary consents under applicable law.
6.3 Managing Cookies
You can control cookies through your browser settings. Disabling strictly necessary cookies will impair platform functionality. You may also opt out of functional and analytics cookies via our cookie preference centre accessible from the platform footer.
Your Rights Under DPDPA 2023
Under the Digital Personal Data Protection Act, 2023 and other applicable laws, you have the following rights with respect to your personal data:
- Right to Access: Request a summary of personal data we hold about you and the purposes for which it is processed.
- Right to Correction: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data, subject to legal retention obligations (e.g., financial records, tax compliance data).
- Right to Grievance Redressal: Raise a complaint with our Grievance Officer (details in Section 12) and receive a response within 30 days.
- Right to Withdraw Consent: Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Right to Nominate: Nominate an individual to exercise your rights in the event of your death or incapacity (as provided under DPDPA).
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise any of these rights, submit a request to privacy@bluenath.com. We will respond within 30 days. We may require identity verification before processing your request. Requests that are manifestly unfounded, repetitive, or excessive may be declined or may attract a reasonable fee.
Data Retention
We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements:
- Account data: Retained for the duration of your account and 3 years thereafter
- KYC documents: Retained for 5 years post-last transaction (PMLA, 2002 requirement)
- Financial records & ledger entries: 8 years (Income Tax Act, 1961 requirement)
- Campaign data & analytics events: 3 years from campaign end date
- Communication logs (messages, collaboration chat): 2 years from collaboration end
- Audit logs: 3 years (immutable)
- OTP / authentication logs: 90 days
- Cookies / session data: Session cookies expire on browser close; persistent cookies within 12 months
After the applicable retention period, data is securely deleted or anonymised such that it can no longer identify you.
Children's Privacy
EngagePro is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If you are a parent or guardian and believe your child has provided personal data to us, please contact us immediately at privacy@bluenath.com. Upon verification, we will delete such data promptly.
Cross-Border Data Transfers
Our primary data infrastructure is located in India (AWS ap-south-1, Mumbai). However, certain service providers (such as Firebase FCM, MaxMind) may process data outside India. Where data is transferred outside India, we ensure appropriate safeguards are in place in accordance with the DPDPA, 2023, and relevant government notifications, including:
- Standard contractual clauses with service providers
- Processing only by entities located in jurisdictions deemed adequate by the Indian government
- Consent where required
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Post the updated Policy on this page with a revised 'Last Updated' date
- Send an email notification to all registered users at least 14 days before the changes take effect
- Display a prominent notice on the EngagePro dashboard
Your continued use of the platform after the effective date of the updated Policy constitutes acceptance of the changes. If you do not agree with the changes, you must discontinue use and request account deletion.
Contact & Grievance Officer
For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our designated Grievance Officer as required under Rule 5(9) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021:
Grievance Officer — CBuddy Private Limited
If you are not satisfied with our response, you may approach the Data Protection Board of India once constituted under the DPDPA, 2023, or any other competent authority under applicable law.
This Privacy Policy was last updated on 10 May 2025. For the Terms and Conditions governing use of our platform, please read our Terms & Conditions.